5. Executes at the operating system level—and begins scanning for other systems to infect—thus propagating itself in an exponential manner as do most worms
6. Attempts to send a copy of the local password (SAM) database, network configuration information, and other SQL Server configuration information to a fixed e-mail address (ixtld@postone.com) via e-mail
Through step 5 the worm propagated itself rather quickly through many corporate environments. The success of the infection is completely dependent on the use of an empty sa password. Given that this was one of the most successful worms of all time, you can understand how prevalent this bad practice was (and hopefully is no longer). In fact, while this is no longer true today, SQL Server used to ship with an empty sa password. It is therefore not too surprising that this worm was so successful, especially given that this vulnerability also exists in SQL Server's “baby brother,” Microsoft Data Engine (MSDE), which runs embedded on so many workstations. The worm's success made a “respectable” contribution to putting SQL Server in fourth place in the SANS top 10 Windows vulnerabilities (see www.sans.org/top20 for more information).
Interestingly enough, Microsoft published an article more than six months before the eruption of Spida citing a new worm code-named “Voyager Alpha Force” that also uses a blank sa password. In Article 313418, Microsoft says:
A worm, code-named “Voyager Alpha Force,” that takes advantage of blank SQL Server system administrator (sa) passwords has been found on the Internet. The worm looks for a server that is running SQL Server by scanning for port 1433. Port 1433 is the SQL Server default port. If the worm finds a server, it tries to log in to the default instance of that SQL Server with a blank (NULL) sa password.
If the login is successful, it broadcasts the address of the unprotected SQL Server on an Internet Relay Chat (IRC) channel, and then tries to load and run an executable file from an FTP site in the Philippines. Logging in to SQL Server as sa gives the user administrative access to the computer, and depending on your particular environment, possibly access to other computers.
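The port 1433 scanning described in the Microsoft article leaves a recognizable trace in network flow logs: one source reaching many distinct hosts on the SQL Server port in a short time. The following Python code is an added example, not taken from the book or from Microsoft; the log format, addresses, time window, and threshold are constructed assumptions.

```python
import csv
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

SQL_PORT = 1433  # SQL Server default port

# Constructed flow records: time, source, destination, destination port.
SAMPLE_FLOWS = """\
2024-01-15T10:00:01,10.0.5.23,10.0.1.10,1433
2024-01-15T10:00:02,10.0.5.23,10.0.1.11,1433
2024-01-15T10:00:03,10.0.5.23,10.0.1.12,1433
2024-01-15T10:00:03,10.0.2.8,10.0.1.10,1433
2024-01-15T10:00:04,10.0.5.23,10.0.1.13,1433
2024-01-15T10:00:05,10.0.5.23,10.0.1.14,1433
2024-01-15T10:00:06,10.0.5.23,10.0.1.15,1433
2024-01-15T10:00:30,10.0.2.8,10.0.1.10,1433
2024-01-15T10:05:00,10.0.9.4,10.0.1.10,1433
2024-01-15T10:35:00,10.0.9.4,10.0.1.11,1433
2024-01-15T11:05:00,10.0.9.4,10.0.1.12,1433
2024-01-15T11:05:01,10.0.3.3,10.0.1.20,80
2024-01-15T11:05:02,10.0.3.3,10.0.1.21,80
"""

def find_1433_scanners(flow_text, window=timedelta(seconds=60), min_targets=5):
    """Return {source: peak count of distinct 1433 destinations inside `window`}."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in csv.reader(flow_text.splitlines()):
        if int(dport) == SQL_PORT:
            per_src[src].append((datetime.fromisoformat(ts), dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        recent, seen, peak = deque(), Counter(), 0
        for ts, dst in events:
            recent.append((ts, dst))
            seen[dst] += 1
            # Slide the window: forget connections older than `window`.
            while ts - recent[0][0] > window:
                _, old_dst = recent.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            peak = max(peak, len(seen))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners
```

With the default 60-second window only 10.0.5.23 is reported; the application server that keeps talking to a single database host and the workstation that touches three servers over an hour are not.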